MEMORANDUM of AGREEMENT 



BETWEEN 

THE U.S. DEPARTMENT OF STATE 
BUREAU OF DIPLOMATIC SECURITY 

AND 

XXX FEDERAL GOVERNMENT DEPARTMENT/AGENCY 

IAA Number: DS/TPS/SECD-XXX-01 

I. PURPOSE : The purpose of this Agreement is to set forth the terms and conditions
governing the arrangement between the XXX and the U.S. Department of State (DoS),
Bureau of Diplomatic Security (DS), Office of Training and Performance Standards, 
Security Engineering and Computer Security Division (DS/TPS/SECD) under which DS 
will provide Comprehensive Role-Based Information Assurance (IA) and Cybersecurity 
training services to the XXX. The training is for personnel with Information System 
Security Officer (ISSO) responsibilities as defined in National Institute of Standards and 
Technology (NIST) guidance and U.S. Department XXX policies and procedures. 

II. BACKGROUND : DoS has developed a reputation as a leader in training United States
Government (USG) employees in many areas. In particular, DS has established and 
maintains a comprehensive information systems and security training capacity. By entering 
into this Agreement, XXX will rely upon the DS Role-Based Information Assurance 
Training Curricula to train and develop an XXX corps of information security professionals 
with the knowledge and capabilities to implement and provide information assurance and 
information security services recognized as USG industry best practices. 

III. RESPONSIBILITIES OF THE PARTIES : In conjunction with the tasks outlined in the 
Statement of Work (Appendix 1), the responsibilities of the parties to this Agreement are as 
follows: 
a. XXX's Responsibilities :

1. Ensure that funds are available to cover the cost of requested services and that
payments are made to DS in a timely manner. Funds will cover: course 
development; provision, operation, and maintenance of course equipment; 
provision of classroom and student materials; setup of classrooms; and instructors. 
Funds will be transferred upon execution of the MOA. If unique circumstances 
exist, the XXX and DoS POCs can modify the transfer deadline to meet the needs 
of the program. 

2. Identify the courses to be customized for cybersecurity workforce training and 
designate class attendees prior to the classes. XXX will ensure a minimum of 
eight students and a maximum of 14 students will attend, depending on the course. 

3. Provide technical direction for the customization of the IA role-based training 
courses. This includes providing Subject Matter Experts (SME) that will review 
course content prepared by DS, consolidate XXX comments and submit to DS,
and ensure that XXX responds in an agreed upon review cycle. 



4. Ensure that a XXX SME is present for the entirety of each class. 

5. Review and approve all XXX customized course curricula. 

6. Provide DS a roster of students and registration information no later than five (5) 
days prior to class commencement. Personnel who receive training from DS must 
submit an Authorization, Agreement and Certification of Training, OPM Form 
SF-182, to the DS Registrar. 

7. Set student proficiency criteria upon course completion. 

8. Provide classrooms as necessary at XXX facilities. 

9. Ensure that, if it is necessary to bring the DS mobile training computer network, 
required approvals are obtained, and all equipment is properly safeguarded for the 
duration of the class. 

10. Upon successful implementation of the pilot courses and final SME revision, 
accept the course materials. 

b. DS's Responsibilities : 

Program Management 

1. Provide an approved Project Plan after receipt of funding. 

2. Provide program management and oversight for all tasks within this Agreement, 
as well as any derivative sub-contracts. 

3. Provide quarterly reports and be available for meetings that include a summary of 
all work performed or planned. 

4. Utilize expertise currently existing within DS and/or other Federal, academic, and 
private entities when needed and if available to DS. 

5. Provide necessary assistance in assessing and training the XXX information 
assurance security professionals and other cybersecurity workforce as may be 
identified by XXX. 

6. Perform all work as set forth in the attached Statement of Work. 



Course Customization 

7. Ensure that DS IA staff working with XXX SMEs will utilize XXX content, 
Federal regulations, and industry best practices. 

8. Prepare course material as appropriate, to include instructor material, student
guides, PowerPoint slides, and other course activities. 

9. Provide one paper copy and one master electronic copy of all material to the XXX 
task manager. The material and content will become XXX property. 

Course Instruction 

10. Responsible for duplication (printing) and delivery of student materials to 
classrooms. 

11. Provide instructors that have the requisite teaching skills and fully understand the
course content and objectives. 

12. Submit to XXX a pass/fail form for each class, which will be used to identify the 
grade of each attendee. 

13. Distribute to the students who satisfactorily complete the course a signed Completion 
of Training Certificate. 

14. Make adjustments to the curricula as necessary, and as agreed upon by XXX and 
DS. 

15. Provide and operate computer stand-alone equipment for the class, as necessary. 
The DS instructor will set up the network the day prior to the class and dismantle
the network at the end of the class. 

16. Report to the XXX Project Coordinator, the number and identification of XXX 
students who successfully complete each class. 

IV. DURATION OF AGREEMENT 

The period of performance of this agreement is October 1, 2010 to September 30, 2011,
with four option periods that XXX may exercise at its discretion each to begin on October
1st and end September 30th of the applicable fiscal year.

V. MODIFICATION AND TERMINATION : Modifications to this Agreement must be in 
writing and agreed to by the parties. This Agreement may be terminated by either party 
upon thirty (30) days advance written notice. If XXX cancels the order, DS is authorized to 
collect costs incurred prior to cancellation of the order plus any termination costs. 

VI. FUNDING : XXX agrees to transfer funds to pursuant to a monthly billing 
statement after services have been performed not to exceed $XXXXX.00 support
DS' activities under this Agreement. Transfer of funds will be by means of the
Intra-Governmental Payment and Collection (IPAC) System. The XXX/DoS
Agreement number must be cited on all IPAC submissions. 

No later than 30 days after an accountable event, DS shall provide XXX with a 
performance report (e.g., a billing statement) that details all work performed to date. 
On a monthly basis the parties will reconcile balances related to revenue and 
expenses for work performed under the Agreement. 

In the fourth quarter of each fiscal year, XXX will provide DS with an estimate of
training services needed for the next fiscal year. DS will provide XXX with the 
anticipated costs for the services requested. 



VII. REIMBURSEMENT 

a. XXX will reimburse DS for all estimated costs associated with the development 
and provision of Information Assurance role-based training.

b. The ceiling value of this agreement will be established on a fiscal year basis. 
XXX will reimburse DS in accordance with cost schedules and procedures 
specified in Appendices. Reimbursement will be accomplished through
Inter-governmental Payment and Collection (IPAC) procedures.



VIII. POINTS OF CONTACT : 

XXX Project Coordinator : DS Project Coordinator : 

Name 

Title 

Agency 

Address 

Attn: Office Code 
City/State/Zip 
Telephone: 
Email: 



FBI Accounting/Finance Contact : 

DoS Accounting/Finance Contact : 

Name 
Title 
Agency 
Address 

Attn: Office Code 
City/State/Zip 
Telephone: 
Email: 



Information Assurance Section Chief : DS, Information Assurance Branch Chief/Dispute Resolution :

Name

Title 

Agency 

Address 

Attn: Office Code 
City/State/Zip 
Telephone: 
Email: 

IX. AUTHORITY : The authority for this Agreement is the Economy Act, 31 U.S.C. § 1535.



X. INTEGRATION CLAUSE : This Agreement, including Appendix 1 and the Statement of 
Work, constitute the entire Agreement of the parties with respect to its subject matter. 
There have been no representations, warranties or promises made outside of this 
Agreement. This Agreement shall take precedence over any other documents that may be 
in conflict with it. 

XI. DISCLAIMER : FBI will not accept responsibility for reimbursement of late fees or other 
costs incurred due to the negligence of the servicing agency in complying with its 
obligations to third party contractors. 

XII. DISPUTE RESOLUTION : Disagreements between the parties arising under or relating to 
this MOA will be resolved only by consultation between the parties and will not be referred 
to a local, state, or federal court. 

XIII. AUTHORIZING SIGNATURES AND DATES : The signatories below warrant and 
represent that they have the competent authority on behalf of their respective agencies to 
enter into the obligations set forth in this Agreement. 



XXX 



United States Department of State 



Name 
Title 
Office 
Date: 



Tracy Mahaffey 

Executive Director, Diplomatic Security 



Date: 



Name 

Title 

Office 



Date: 

Appendix 1: Statement of Work
Information Systems Security Line of Business (ISS LOB) Tier Two Training 

1. Task Manager (TM) 



a. Primary: 



Name: 




Organization: 




Address: 




Phone No.: 
BB: 




Fax No.: 




Internet Address: 




b. Alternate: 


Name: 




Organization: 




Address: 




Phone No.: 




Fax No.: 




Internet Address: 




2. Background



Due to the scope of the Department of State (DoS) mission, it has developed a reputation as a leader in 
training United States Government (USG) employees in many areas. In particular, DoS Bureau of 
Diplomatic Security (DS), Diplomatic Security Training Center (DSTC) has been approved as an ISS 
LOB Tier Two Training Shared Service Provider (SSP) for comprehensive information systems and 
cybersecurity training services. The XXX has the responsibility to provide information security and 
cybersecurity training to those employees designated as having significant information security 
responsibilities. 

XXX is interested in utilizing an ISS LOB SSP capability. In response to the Federal Information 
Security Management Act's (FISMA) requirements and following the National Institute of Standards 
and Technology (NIST) Information Security Training Guidelines (SP 800-16), XXX will identify and 
prioritize significant information security roles requiring consistent and uniform training. DoS DSTC 
will facilitate XXX's efforts to utilize federally approved and standardized cybersecurity curriculum by
customizing the current DoS curriculum and by providing instructor-led training, thereby embedding a 
common approach to cybersecurity training and professional development throughout the Federal 
government. 

This Statement of Work (SoW) between XXX and DoS, sets forth the tasks that DoS DS Role-Based 
Information Assurance Training Curricula will perform to enhance a XXX corps of information 
security professionals. 

3. Scope



This SoW, consisting of the specific tasks below, shall comprise the scope of work for the DSTC. 
DSTC, the servicing agency, will provide central management and oversight for all tasks within this 
SoW, as well as any derivative sub-contracts. As the Lead for this SoW, DSTC will utilize expertise 
currently existing within the DoS and other Federal, academic, and private entities to accomplish the 
tasks outlined in this SoW. 

4. Tasks 

In addition to the responsibilities of the parties, as set forth in the accompanying MOA, this SoW 
defines tasks that DSTC will perform for program management and information security training 
services following the ISS LOB Tier Two Training guidelines for shared service providers. 

4.1 Program Management 

4.1.1 Project Plan: Provide a draft and final Project Plan for XXX review and approval.

4.1.2 Progress Reports: Provide a monthly progress report to the XXX Task Manager via 
electronic mail. This report shall include a summary of all work performed or to be 
performed by DSTC related to this project. 

4.1.3 Progress Meetings: Ensure DSTC personnel are available to meet with the XXX 
Task Manager upon request to present deliverables, discuss progress, exchange 
information, and resolve emergent technical problems and issues. 

4.2 ISS LOB Tier Two Training Services 

4.2.1 Tailor existing DoS information security role-based training to XXX requirements.
XXX will review course offerings shown below and will prioritize courses for 
customization and implementation. XXX may prioritize courses in a phased 
approach. 

4.2.2 Implement the delivery of courses following the approved project plan. 

4.2.3 Ensure all products meet Federally-mandated requirements and requirements 
specified in the XXX policies and procedures. 

5. Place of Performance 

The work supporting this tasking will be performed at the DSTC facilities and if necessary at 
supporting subcontractors and other institutions' facilities. Training implementation will be performed 
at XXX facilities, unless otherwise specifically requested and approved by the XXX Task Manager. 
Travel between DoS facilities and XXX is anticipated to conduct interviews or forums and for training 
implementation. XXX will reimburse DSTC for travel related costs as an Other Direct Cost. 

6. Deliverable/Delivery Schedule



As noted in Table 1, Deliverable and Delivery Schedule, DSTC will provide a draft project plan for the 
stated period of performance for XXX approval within fifteen (15) business days after receiving the 
designated funding and the prioritized list of courses. A final project plan will be submitted within 
thirty (30) business days of submission of draft project plan. The project plan will include deliverables 
and milestones for each agreed-upon task and respective subtasks. DSTC will deliver copies of all 
documents and reports to the XXX Task Manager in soft copy. 



| Deliverable | Delivery Schedule | Responsibility |
|---|---|---|
| Phase I Prioritized List of ISS LOB Training Courses | 5 business days after MOA/SoW approval | XXX |
| Draft Project Plan | 15 days after receipt of funding and Phase I prioritized ISS LOB training courses | DSTC |
| Final Project Plan | 30 days after submission of draft project plan | DSTC |
| Customization of training courses | 1st quarter of MOA/SoW, then follow project plan delivery schedule | DSTC |
| Implementation of training courses | 1st quarter of MOA/SoW, then follow project plan delivery schedule | DSTC |

Table 1: Deliverable and Delivery Schedule

7. Course Descriptions



Table 2 contains a list of current courses that can be customized to XXX. (Select those you desire) 



Course Description

| Role | Course Number, Course Title and Description | Est. Length of Course | Maximum Class Size | # of Classes Offered |
|---|---|---|---|---|
| ISSOs | Information Assurance (IA) for Application ISSOs: Information on applicable Federal laws, regulations, and procedures for system authorization. Topics include information technology initiatives; threats; vulnerabilities; risk management; operational, management, and technical controls; system security plans; system authorization, continuous monitoring, and incident reporting. | 3-5 days (determined during customization phase) | 20 | TBD |
| ISSOs | IA for Site ISSOs: Information on applicable Federal policies and procedures pertinent to site ISSOs. Topics include those for the application ISSO with an emphasis on site physical and personnel controls, as well as continuous monitoring and incident reporting. | 3-5 days (determined during customization phase) | 20 | TBD |
| System Administrators (Windows) | IA for System Administrators with Primary Responsibility for Windows-Based Systems: The lecture portion discusses security configuration guidelines [illegible] Also included is an overview of vulnerabilities, threats, the importance of controls, and risk management. The remaining portion of the class is devoted to hands-on exercises that guide students in implementing current security configuration requirements for Microsoft Windows servers and workstations. | 4-5 days (determined during customization phase) | 16 | TBD |
| System Owners | IA for System Owners: Provides information security requirements for system owners following NIST guidance. Topics include vulnerabilities, threats, and controls; risk management; and the operational aspects associated with system authorization. | 3-4 hours | 14 | TBD |
| Authorizing Official | IA for Authorizing Officials: Information security requirements for authorizing officials. Focus is on risk management and the acceptance of risk for an authorizing official. | 2-4 hours | 12 | TBD |
| Managers | IA for Managers: Provides managers with topical information managers responsible for managing information security programs and employees. During the course, attendees will also participate in multiple group problem solving exercises. | 2-3 days | 15 | TBD |
| Senior Level Managers | IA for Senior Level Managers: Provides senior-level managers with the knowledge and skills to evaluate the components of an information assurance program with regard to critical business functions and the agency's information assurance requirements. | 1 day | 15 | TBD |
| Executives | IA for Executives: This seminar emphasizes the critical role of executive-level leadership in protecting the agency's information and information systems. | 3 hours | 15 | TBD |
| Programmers, Application Project Management | Security for Application Developers: Intended for programmers and developers who are designing and developing software applications for internal use at the Department. 1-day overview course for all. | 1 day | 12 | TBD |
| Programmers | Security for .NET Developers: Intended for programmers and developers who are designing and developing software applications for internal use at the Department using .NET. | 2 days | | TBD |
| Programmers | IA for Database Administrators: Intended for employees who design, develop, operate, and maintain database applications. | 2 days | 12 | TBD |
| Programmers | Security for Website Developers: Intended for programmers and developers who are designing and developing external and internal websites. | 2 days | 12 | TBD |
| ISSO's | Continuous Monitoring for ISSO's | Pending design | | |
| Executives | Risk Scoring for Executives: Intended for agency senior managers who need to embrace risk management and the risk scoring tool. | [illegible] hours (could be webinar). Pending design | [illegible] | TBD |
| Program Managers | Risk Scoring at the Operational Level: Intended for agency operational staff who need to implement the risk scoring tool. | Pending design | TBD | TBD |
| ISSOs, System Administrators, Program Managers | Responding to Cyber Incidents: Intended for employees who respond to internal CIRT alerts and other related types of incidents. | Pending design | TBD | TBD |
| Data Center Tier 1 Help Desk | Information Security for Data Center Staff: Intended for Tier 1 Help Desk staff at the data center who need an information security course [illegible] the agency's policies and procedures. | Pending design | TBD | TBD |
| Acquisition | IA for Acquisition Professionals: Intended for employees involved in the Information Systems acquisition process. | Pending design | TBD | TBD |
| Data Center Tier 2, Network Engineers, Network Administrators | Engineers: Intended for operational network engineers located at an agency's data center. | Pending design | TBD | TBD |

Table 2: Course Descriptions



8. Cost Estimate 

Table 3 provides a cost estimate for XXX course of XX students per course, which includes the project
plan, course customization, and course implementation. The total projected annual cost for this period is
$XXXXX.00. (Each course will require a separate Cost Estimate)



| TASK | Project Plan (can be included in the customization and implementation costs) | Course Customization | Course Implementation | Total |
|---|---|---|---|---|
| Task Labor | | | | |
| Course X | | | | |
| Total costs per Task | | | | |
| Acquisition Fees | | | | |
| Total Cost | | | | |

Table 3: Cost Estimate

Reimbursement Method

Reimbursement will be accomplished through Inter-governmental Payment and
Collection (IPAC) procedures based on the following accounting information:

Obligation Document Number:
Appropriation Code:
ALC for IPAC purposes

Determination and Findings Statement



XXX 

DETERMINATION AND FINDINGS 
USE OF INTERAGENCY AGREEMENT 



I HEREBY FIND THAT: 

(1) The XXX proposes to enter into an Agreement with the U.S. Department of State Bureau of 
Diplomatic Security for the DS Role-Based Information Assurance Training Curricula because 
the XXX does not have sufficient in-house resources to successfully complete this effort. 

(2) The Department of State (DoS) has developed a reputation as a leader in training United States 
Government employees in many areas. In particular, DoS Bureau of Diplomatic Security (DS), 
Diplomatic Security Training Center (DSTC) has been approved as an ISS LOB Tier Two 
Training Shared Service Provider (SSP) for comprehensive information systems and 
cybersecurity training services. 

(3) The proposed period of performance of this effort is to coincide with the MOA agreement. 

(4) The ceiling price for the proposed effort is $XXXXX.00.

I HEREBY DETERMINE THAT: 

On the basis of the above findings, and in accordance with section 17.503 of the Federal Acquisition 
Regulation: 

(1) Use of an interagency acquisition is in the best interest of the Government; and 

(2) The supplies or services cannot be obtained as conveniently or economically by
contracting directly with a private source.



RECOMMENDED: 

Date 

Name 
(COTR) 

CONCUR: 

Date 

Name 

(Authorizing Officer) 